SQL Injection

Insights, techniques and other information:

  1. SQLI exploitation step by step
    1. http://www.hackingloops.com/hacking-class-14-how-to-deface-websites-using-sql-and-php-scripting.html
  2. Blind SQLI using SMB
    1. http://jesse.m6.net/blog/?p=14
  3. SMB\Ntlm relay using SQLI
    1. http://www.blackhat.com/presentations/bh-europe-09/Guimaraes/Blackhat-europe-09-Damele-SQLInjection-whitepaper.pdf
    2. https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploit/
  4. Getting information out of the database in an out-of-band way by generating DNS\HTTP or other protocol packets, containing the database information, from the database to your evil server using the SQLI
    1. https://www.defcon.org/images/defcon-15/dc15-presentations/dc-15-karlsson.pdf
  5. Data Retrieval over DNS in SQL Injection Attacks in all types of databases…people would say that they are protected if xp_cmdshell is disabled but xp_dirtree and others which are enabled can be used
    1. http://arxiv.org/ftp/arxiv/papers/1303/1303.3047.pdf
  6. The OPENROWSET and OPENDATASOURCE functions allow a user in SQL Server to open remote data sources. the OPENROWSET function can be used to connect to an arbitrary IP address/port including the source IP address and port of the attacker. Those functions are usefull even more then procedures in case you dont have ‘;’, in such cases you can still use a function in the middle of the select
  7. LINQ to SQL passes all data to the database via SQL parameters. So, although the SQL query is composed dynamically, the values are substitued server side through parameters safeguarding against the most common cause of SQL injection attacks…..SHORTLY: you cant do sql injection when LINQ is used
  8. NHibernate is immune to SQLI unless native sql is used
    1. http://stackoverflow.com/questions/2516250/sql-injection-with-plain-vanilla-nhibernate
  9. Sql Smuggling and techniques for sqli bypassing doubling apostrophes
    1. http://www.it-docs.net/ddata/4954.pdf
    2. https://www.owasp.org/images/d/d4/OWASP_IL_2007_SQL_Smuggling.pdf
  10. “MySQL Server supports some variants of C-style comments. These enable you to write code that includes MySQL extensions, but is still portable, by using comments of the following form:/*! MySQL-specific code */
    In this case, MySQL Server parses and executes the code within the comment as it would any other SQL statement, but other SQL servers will ignore the extensions”

    1. https://dev.mysql.com/doc/refman/5.1/en/comments.html
  11. How to enable disable xp_cmdshell via gui in microsoft sql server:
    start->all programs->microsoft sql server (2005)->
    configuration tools->Sql server surface area configuration->
    surface area configuration for features->
    buttom feature is xp_cmdshell
  12. To have unicode string in db, the field shud be defined nvarchar instead of varchar…if they define it as varchar then passing unicode to it will convert the unicode to ascii which may be used to pass blacklist
  13. Using xp_DirTree in sql server
    1.  http://www.playwithsql.com/2011/06/play-with-xpdirtree-to-get-files-and.html
  14. You think you are protected from SQLI when using prepared statements\parametrized queries? Well if you use it to call store procedures or function then it might still be exploitable if the stored procedure\function builds sql query dynamicly inside it and executes it.
  15. Its possible to execute operating system code in microsoft access sql injection however it requires some security settings in the microsoft access to be enabled and they are disabled by default.

Exploitation Tools:

  1. Havij – easy to use but not as strong as sqlmap
    1. http://blog.checkpoint.com/2015/05/14/analysis-havij-sql-injection-tool/
  2. Pangolin – easy to use but not as strong as sqlmap
    1. http://thehackernews.com/2011/04/pangolin-323-automatic-sql-injection.html
  3. Sqlmap – seems to be the strongest tool
    1. http://sqlmap.org/
  4. Sqlninja – can be good for microsoft sql server
    1. http://sqlninja.sourceforge.net/sqlninja-howto.html
  5. Sqli Hunter – searchs for SQLI using google dorks
    1. http://sourceforge.net/projects/sqlihunter/
  6. Dork searcher – searchs for SQLI using google dorks
    1. http://sourceforge.net/projects/dorksearcher/
  7. ICFsqli – sqli scanner
    1. http://sourceforge.net/projects/icf-sqli/

SQLI cheat sheets:

  1. MySql
    1. http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
  2. Microsoft Access
    1. http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html
  3. Oracle
    1. http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet
  4. Microsoft Sql Server
    1. http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
  5. Postgres
    1. http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet
  6. Ingres
    1. http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet
  7. DB2
    1. http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet
  8. Informix
    1. http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s